Is it possible for root user to read Dovecot IMAP users' email messages?

I am wondering if it is possible for the root user to read individual Dovecot IMAP users' email messages, without knowing each user's password.

We have a need to follow-up on customer complaints related to SPAM. Basically, we need to see the SpamAssassin headers for the messages in question.

Is there a way to do this that does not require access to the user's IMAP account?

It seems like this information could be acquired from a log instead, but sifting through log entries (especially after log rotation has occurred) seems like a nightmare. Furthermore, I can't seem to find a SpamAssassin log anywhere. Is logging off by default? And if so, does spamd need to be enabled to use it?

I am already doing exactly as you suggested; the problem is the messages that score below the "kill level" ($sa_kill_level_deflt), but are likely to be spam. These messages are not quarantined, so I do not have a chance to inspect them. (To be clear, messages are not quarantined until their scores are >= $sa_kill_level_deflt, if a quarantine is configured.)

Part of the challenge is that we have set the following directive in /etc/amavis/conf.d/50-user

Code:

$final_spam_destiny = D_DISCARD;

which means that messages scoring over the "kill level" (set at 13 within ISPConfig) are discarded entirely.

Your kill level (6) is quite low, but one has to assume that you are using

Code:

$final_spam_destiny = D_PASS;

so as not to discard legitimate email accidentally.

In other words, the strategy that you describe will work well, but only as long as the final destiny is D_PASS (and not D_DISCARD).

Upon double-checking my policy settings in ISPConfig, I did notice that the "SPAM quarantine cutoff level" is set to zero, however. Is this a problem?

I'm a little confused because the ISPConfig manual states:

SPAM quarantine cutoff level: This is the spam score beyond which quarantine is off. Use a low score (e.g. 0) if you don't want quarantine.

If you quarantine spam, but you would like to delete high scoring spam (therefore reducing the number of items in the quarantine) this setting allows you to discard quarantined spam at this level and above.

So, what is the effect of setting this value to zero?

It doesn't seem to be that quarantine is disabled, because I still receive quarantined messages. Perhaps using zero means, "Send all qualifying emails to quarantine (don't discard them, no matter how high their scores)," in which case the ISPConfig manual should be corrected.

Two other points of note:

1.) Quarantined messages have the following in the basic header information:

Code:

Subject: Many languages can be learned very quickly
Not quarantined.

Why does the quarantined message say "Not quarantined"? This makes no sense; the message is obviously quarantined, as it is coming to the mailbox specified for quarantined messages.

2.) Quarantined messages also contain the following:

Code:

Content analysis details: (16.8 points, 5.0 required)

From where is the "5.0 required" coming? I am not using the score 5.0 anywhere. I realize that this is SpamAssassin's default delineation point for "ham" vs. "spam", so it must be defined somewhere (even if as the default), but my question is, "Why is this value not being overridden somewhere [e.g., from within ISPConfig]?"

OK, check your spamfilter users list (spamfilter->user/domain) and be sure that the mailboxes/domains are using the policy you want.

Yes, with the quarantine cutoff you can set at what level the email is forwarded to the quarantine admin. 0 = Notification off

The score 5.0? Sure, it must be a score of one policy. The default scores are in the database and in the 50-user file (but this file is patched for ISPConfig's install/update, and scores are pretty high)

Hmm, that explanation of the quarantine cut-off value doesn't seem consistent with the observed behavior. As can be seen in the screenshot attached to my previous post, this value has been set at zero, yet I do receive quarantine emails for messages with scores >= "SPAM kill level".

I have tried hunting down the 5.0 score, and it's not in 50-user. I see the defined defaults there, however:

I'm willing to write a script to parse the log, but that's another issue entirely. I don't see detailed SpamAssassin information in /var/log/syslog (on Debian). I asked this question in my initial post: does one have to use SpamAssassin in daemon mode to enable detailed logging?

And regarding your original message, all emails are stored as plain text files in the maildir folders of the mail accounts, so you can see the scores in the headers as root user with any text editor or search the files with grep and sed, no need to use IMAP.
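
An added example, not part of the thread and not ISPConfig's own code: a Python script that, run as root, reads only the headers of every message under a Maildir and lists those whose spam score falls in a review window, for instance below the thread's kill level of 13 but at or above an assumed lower bound of 5.0. The X-Spam-Score and X-Spam-Status header names and the score= field are assumptions about what the local amavisd-new/SpamAssassin setup writes, and the Maildir path is whatever you pass on the command line.

```python
#!/usr/bin/env python3
"""List Maildir messages whose spam score lies in a review window (added example)."""
import os
import re
import sys
from email.parser import BytesHeaderParser
from email.policy import compat32

SCORE_RE = re.compile(r"score=(-?\d+(?:\.\d+)?)")  # assumed X-Spam-Status field

def spam_score(headers):
    """Score from X-Spam-Score, else from X-Spam-Status; None if never scored."""
    raw = headers.get("X-Spam-Score")
    if raw is None:
        match = SCORE_RE.search(str(headers.get("X-Spam-Status", "")))
        raw = match.group(1) if match else None
    try:
        return float(str(raw).strip())
    except ValueError:
        return None

def scan_maildir(root, low, high):
    """Return (score, subject, path), highest first, where low <= score < high."""
    parser, hits = BytesHeaderParser(policy=compat32), []
    for dirpath, _dirs, files in os.walk(root):
        if os.path.basename(dirpath) not in ("cur", "new"):
            continue  # skip tmp/ and index files; subfolders such as .Junk/cur are kept
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    headers = parser.parse(fh)  # body is ignored; folded headers stay one value
            except OSError:
                continue  # message moved or expunged during the scan
            score = spam_score(headers)
            if score is not None and low <= score < high:
                subject = " ".join(str(headers.get("Subject", "")).split())
                hits.append((score, subject, path))
    return sorted(hits, reverse=True)

if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: spamscan.py MAILDIR [LOW] [HIGH]")
    low = float(sys.argv[2]) if len(sys.argv) > 2 else 5.0    # assumed review floor
    high = float(sys.argv[3]) if len(sys.argv) > 3 else 13.0  # kill level from the thread
    for score, subject, path in scan_maildir(sys.argv[1], low, high):
        print(f"{score:6.1f}  {subject[:60]}  {path}")
```

Parsing the headers with the email module rather than a line-based grep matters here because a long X-Spam-Status header is normally folded across several lines, so the score= field is not guaranteed to sit on the line that carries the header name.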